Introduction
Cybersecurity continues to raise red flags among investment advisers and their government regulators. According to a recent Investment Adviser Association and Cerulli Associates poll, 97 percent of surveyed registered investment adviser executives cited cybersecurity compliance as a priority concern and 93 percent noted increased related regulatory pressure. Their concern is not unfounded. As a continuation of an ongoing trend over the past few years, the U.S. Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) included cybersecurity among their 2017 examination priorities. This article will address the regulatory cybersecurity framework applicable to investment advisers and what steps advisers can take to combat cyber attacks.
Background
Over the past few years, the SEC and FINRA, the chief regulators of investment funds and advisers, have demonstrated continued interest in cybersecurity.
In April 2014, the SEC Office of Compliance, Investigations and Examinations (OCIE) launched a Cybersecurity Initiative, conducting a series of examinations of registered investment advisers and broker-dealers to identify cybersecurity risks. In September of the following year, OCIE announced its 2015 Cybersecurity Examination Initiative, with a focus on the following areas: (i) governance and risk assessment, (ii) access rights and controls, (iii) data loss prevention, (iv) vendor management, (v) training, and (vi) incident response. That same year, FINRA released a Report on Cybersecurity Practices, detailing practices that firms can tailor to their business models to advance cybersecurity efforts. OCIE continued to advance the efforts of its Initiatives in 2016, reviewing in particular the technical sufficiency of respondents’ security programs.
Cybersecurity will remain on regulators’ radar. On January 12, 2017, both the SEC and FINRA released their 2017 examination priorities. The SEC announced that it will continue its ongoing initiative to examine, including “testing the implementation of,” investment adviser and broker dealers’ cybersecurity compliance procedures and controls. FINRA will similarly pay close attention over the course of the year to cybersecurity risks and firms’ programs to mitigate those risks.
Governance and Risk Assessment
The best way of mitigating the impact of security breaches is to seek to reduce the number that actually occur. Investment advisers should have cybersecurity governance and risk assessment procedures to prescribe perimeter and other defenses. These procedures should include implementation of written policies tailored to business operations and communication of plans to and from senior management. While no amount of security can thwart a determined, well-equipped and sophisticated hacker, organizing and implementing even a basic defense can ward off more run-of-the-mill intruders.
Governance and risk assessment requirements are codified in the federal laws governing investment advisers. For example, the Gramm-Leach-Bliley Act (GLBA) “Safeguards Rule” requires financial institutions to establish a written information security program (WISP), designate an employee to coordinate its WISP, identify and assess risks to customers’ non-public personal information, and regularly test and evaluate the effectiveness of current safeguards. The GLBA is administered and enforced by several federal agencies, including the SEC via Regulation S-P. Rule 30 of Regulation S-P requires registered investment advisers, investment companies, and broker dealers to adopt written procedures to insure the confidentiality and protect against anticipated threats to the security of customer records or information.
In April 2015, the SEC’s Investment Management Division released a guidance based on OCIE’s 2014 examinations. In addition to periodic assessments of cybersecurity readiness, the guidance recommended that investment funds and advisers create and implement a cybersecurity response strategy through written policies that include access control, data encryption, restrictions on the use of removable storage media, data backup and retrieval, and an incident response plan. In the guidance, the SEC encouraged investment funds and advisers addressing these cybersecurity concerns to review the NIST Cybersecurity Framework, which is currently being updated. Investment advisers are required to review the adequacy of their policies and the effectiveness of their implementation at least annually pursuant to Rule 206(4)-7 of the Investment Advisers Act of 1940.
Notwithstanding the foregoing paragraph, it is important to note that while federal guidelines may be useful, there is no “one size fits all” with regard to cybersecurity compliance. Individual advisers, smaller firms, and branch offices are limited in financial and human resources allocable to cybersecurity defense. Additionally, the rapid pace of technology has engendered an ongoing technical struggle between hackers and their targets and staying on the cutting edge can be an expensive prospect. As FINRA noted in its recent Regulatory and Examination Priorities Letter, investment advisers must tailor their cybersecurity programs to their specific business model, size, and risk profile.
Consequences of failing to comply with the Safeguard Rule include loss of clients, private lawsuits from former clients, reputational damage, and civil penalties. The latter may be imposed even where no pecuniary losses can be shown. For example, in September 2015, one St. Louis–based investment adviser, R.T. Jones Capital Equities, settled an investigation with the SEC for $75,000. R.T. Jones had suffered a breach of its server, resulting in the leak of personally identifiable information (PII) of 100,000 individuals. While the SEC found no evidence that the firm’s clients were financially harmed, it concluded R.T. Jones had violated Rule 30(a) of Regulation S-P by having no written policies or procedures in place to reasonable protect client data.
Several states have gone further than federal regulators, imposing more stringent data security requirements on financial institutions. For example, while the GLBA applies only to customer information, Massachusetts’s “Standards for the Protection of Personal Information of Residents of the Commonwealth” apply to both employee as well as customer information. Massachusetts’s Standards also provide a list of items a WISP should contain, require encryption of personal information and limit the amount of information financial institutions are allowed to collect. New York’s recent “Cybersecurity Requirements for Financial Services Companies” require that financial institutions designate a Chief Information Security Officer, encrypt all “nonpublic” data and annually certify compliance with the regulations. While the regulations do not directly apply to investment advisers (which are not licensed by the New York Department of Financial Services), they may serve as a harbinger of future state-registered investment adviser requirements.
Access Rights and Controls
In its 2015 Cybersecurity Examination Initiative, OCIE noted that security breaches can stem from the failure to implement even basic controls to prevent unauthorized system or information access. Controls on onsite and offsite access to systems and data include management of user credentials and authentication and authorization methods.
“Man-in-the-middle” attacks—where a fraudster tricks (in the context of investment funds) a general partner or a limited partner into wiring a contribution intended for a fund or a distribution intended for a limited partner to a third party—are particularly threatening to investment advisers. Theft of client bank account information or an adviser’s private client list are also causes for concern, particularly where sensitive data is later exposed to the public.
Every investment adviser, large or small should ideally require multifactor user authentication to access their networks. Multifactor authentication refers to the use of at least two of the following categories: knowledge factors, location factors, time factors, possession factors, and inheritance factors. The knowledge factor is the most common type of authentication and requires users to provide an individualized piece of information, such as a password, pin code, or answers to security questions. The location factor cross-references a user’s current physical location against the user’s pre-registered location and the time factor cross-references the timing of user logins. The possession factor requires users to possess a specific item, such as a previously identified mobile device, computer, security card, or thumb drive. The inheritance factor involves biometric information that is inherently unique to each user, such as fingerprint, iris or facial pattern recognition.
Once relegated to the realm of Mission Impossible, biometric validation is now available on ordinary smartphones and is gaining traction among investment advisers and other financial institutions. For example, following a cybersecurity audit, Capital Advisors Ltd., an Ohio-based investment adviser, implemented fingerprint scans in addition to password protection for users to access its network. Validation processes are still in development however, and biometric validation is far from foolproof. Investment advisers deciding among biometric validation programs should bear in mind whether their relevant computer systems are more sensitive to false negatives (e.g., a repository of investors’ bank account information) or false positives (e.g., a system with high user traffic containing more mundane information).
As important as multifactor user authentication is the maintenance of a secure database of login information and updates to access rights based on personnel or system changes. Single sign-on software that logs into linked applications with a master identity can help investment advisers change large number of passwords at once rather than on an individual basis.
In addition to multifactor authentication and protocols for login issues, investment advisers can use firewalls and perimeter defenses to defend against breaches. Investment advisers should also conduct “hardening,” which generally refers to the reduction of security risks by removing unnecessary software, utilities, devices, or services. If a user account is compromised, multi-tiered approval processes (for example, those needed to access customer accounts or make distributions) may prevent serious harm from ensuing. On the system level, a virtual local area network segmentation, which creates a collection of isolated networks within a data center, can mitigate the damage a hacker could unleash.
Data Loss Prevention
In its 2015 Cybersecurity Examination Initiative, OCIE indicated that it would assess how investment advisers and broker-dealers monitor the volume of content transferred outside of the firm by its employees or through third parties, such as via email attachments or uploads. Customer data, especially PII, should be encrypted, whether transmitted or stored.
Investment advisers can address OCIE’s concerns by implementing a data loss prevention (DLP) strategy. DLP refers to the process for preventing the transfer of information outside of a corporate network. DLP software products use algorithms to classify and protect confidential and critical information. For instance, if an employee attempted to forward a business email outside of the firm’s email domain or upload a file to cloud storage (such as Dropbox or Google Drive), the employee would be automatically denied access, or an administrator password would be required. In addition to being able to monitor and control endpoint activities, some DLP tools can also be used to filter data streams on the corporate network and protect data in motion.
Two particular areas of DLP that OCIE emphasized are patch management and system configuration. Patch management and system configuration involves acquiring, testing, and installing multiple code changes (“patches”) to an investment adviser’s computer systems. System administrators should (i) maintain an updated inventory of all production systems (including operating system types, IP addresses, physical location, custodian, and function); (ii) standardize (to the extent possible) production systems to the same operating system and software; (iii) assess and compare reported vulnerabilities against inventory (e.g., estimating the cost of mitigation or recovery or checking whether an affected system is within a perimeter firewall); and (iv) deploy patches as needed.
As the name implies, patches are “patch-up jobs,” rather than comprehensive overhauls of a firm’s computer network, and can sometimes cause more problems than they fix. System administrators should take simple measures to avoid issues, like performing backups and testing patches on non-critical systems. In addition to running patches, investment advisers should regularly update their cybersecurity programs, whether configuring software to automatically download security updates or keeping on the lookout for newer and more advanced programs.
The importance of DLP to investment advisers has seen recent publicity. In June 2016, Morgan Stanley Smith Barney LLC (MSSB) was fined $1,000,000 for having violated the Safeguards Rule. Between 2011 and 2014, a MSSB employee impermissibly accessed and transferred data regarding 730,000 MSSB accounts to his personal server, which was then hacked by third parties. The SEC found that while the firm used modules to operationalize the restrictions set forth in its security policy, the modules did not effectively limit employee access to data and MSSB failed to test the modules or monitor user activity in applications where PII was stored.
Vendor Management
“Vendor management,” in the context of the Investment Management Division’s guidance, refers to an investment adviser’s actual vendor due diligence, monitoring and oversight, as well as the terms of the adviser’s vendor contracts. Appropriate vendor management and oversight is an area of critical importance, especially to larger firms that engage a large number of third-party service providers.
The first line of defense in vendor cybersecurity risk are vendor contracts. Investment advisers’ vendor contracts should include data security-specific representations and warranties, as well as nondisclosure provisions. Once vendors are retained, as threshold matter investment advisers should identify all vendors that have access to personally identifiable data and ascertain what data is visible to each vendor. In accordance with system segmentation policies described above, vendors should only have access to the data needed to perform their contracted services.
Investment advisers should ideally vet vendors (especially smaller vendors) with a systematic review process, which may include (in the case of larger advisers) interviews by cybersecurity consultants, as well as questionnaires examining the vendors’ operational and security procedures. Vendors that routinely use or hold the PII of their clients’ customers should report on the key security measures they employ, and in fact many larger vendors publish white papers explaining their security standards. Established investment advisers with leverage over certain vendors may subject those vendors to an information technology audit. For larger vendors this could take the form of an AICPA Service Organization Controls report but for smaller vendors, it could be a substitute report guaranteeing satisfactory compliance with applicable security protocols.
The minimum security protocols that investment advisers should require of vendors should include password parameters, multifactor authentication for unidentified devices and encryption of data, both in transmission and at rest. Finally, while data security is the overriding concern, data availability also is critical. Data that is not available is not worthless if it cannot be accessed. Vendors should have sufficient plans for backup data centers and telecommunications lines to ensure a seamless business continuity plan. In some cases, vendors may be required to purchase cyber security insurance to provide some compensation payout in the wake of a breach.
The aforementioned best practices may apply not only to vendors but also to subcontractors and third parties that host or have regular access to investment advisers’ data, including computer support vendors. A vendor questionnaire thus should verify to what degree a vendor uses subcontractors to handle sensitive data, and in some cases, an investment adviser may conduct direct sub-contractor due diligence in addition to vendor due diligence.
Training
Training efforts focus on ways in which the investment adviser prevents data breaches result from unintentional employee actions. Often, the most egregious of consequences can be prevented when employees are attentive to detail and know how to identify warning signs.
Cyber threats have been caused by such mundane lapses in security as misplaced laptops, attachments downloaded from unknown sources, and access of client accounts through an unsecured Internet network. On March 12, 2016, a nearly $1 billion cyber theft was blocked at the last minute by a bank employee who noticed a typo in the wire instructions from a foreign bank.
FINRA, recognizing the importance of this issue, has given detailed guidance for effective staff cybersecurity training programs. First, investment advisers should clearly define their cybersecurity training needs. Second, advisers should identify appropriate cybersecurity training update cycles, such as offering training on a periodic basis. Third and finally, advisers should deliver interactive training that has been tailored to their history of cybersecurity incidents, risk assessments and cyber intelligence. Employee training will likely focus on password and confidential information (especially client PII) protection, physical and mobile security, and escalation policies.
Bearing in mind that an overload of information can be detrimental rather than helpful, FINRA suggests that investment advisers consider whether staff trainings will be mandatory or optional and whether they will be tailored towards a target audience, such as general topics for the entire firm and specific topics for management. Investment advisers without dedicated in-house training personnel may wish to consult cybersecurity consultants that offer programs and platforms to help employees become a barrier against cyber threats.
Incident Response
As important as preventing security breaches is dealing with the aftermath. Investment advisers should identify the most likely types of cybersecurity incident and attack vectors, from DDoS attacks to a network or customer account intrusion, and outline tailored response plans in their WISPs.
A response plan will include steps to contain and mitigate the collateral damage from a cybersecurity breach. Employing intrusion detection systems and intrusion prevention systems can help detect compromises in their early stages. Firms should be prepared to shut down key elements systems, disconnect attached network devices, and, where possible, remove admin rights of compromised user accounts. A response plan should not just encompass a firm’s IT department (if there is one) but should be a collaborative effort on the part of all departments. In one enforcement matter, a factor considered by FINRA was the “firm’s failure to rapidly remediate a device the firm knew was exposing [client] information to unauthorized users.” Consequently, firms must see to the prompt recovery and restoration of systems to normal operations as soon as possible.
In addition to damage mitigation, investment advisers will need to investigate the source of the attack and provide a prompt damage assessment. OCIE learned from its 2014 study that while over 80 percent of investment advisers had implemented WISPs, less than 15 percent of those WISPs addressed how advisers will determine if they are responsible for client cyber-related losses. A WISP should therefore allocate resources to conducting an investigation, determine the extent of data and monetary loss and should identify when client reimbursement is required.
Importantly, investment advisers are obligated to notify clients and regulators in the event of certain breaches. With regard to notices to clients of the loss or misuse of personally identifiable information and other sensitive data, this obligation takes on a fiduciary nature. Although not required by Regulation S-P, mandatory customer and regulator notices have been codified in the regulations of the District of Columbia and 47 states. Consequently, WISPs should allocate resources for the conduction of a timely reporting of cybersecurity incidents to clients and regulators.
Conclusion
Investment advisers have both a legal and a practical obligation to affirmatively protect their clients’ data. While an investment adviser’s size, industry, and other factors will determine what degree of protection is appropriate within the context of federal and state privacy laws, all advisers can and should take some protective measures, such as consulting a cybersecurity consultant, using authentication and encryption tools and preparing a WISP. With so much public focus on the issue and future regulations likely, taking cybersecurity precautions may be well worth the cost.